IW: What qualifications do you look for when hiring a security consultant?

KB: I want to see a demonstrated aptitude for my specific project. I am not looking for a generalist; however, broad industry knowledge is critical. Qualifications will also include the nontechnical aspects of a candidate’s repertoire. The person’s ability to comprehend the nuances of the requirements can make the difference in the success and failure of any given project. The ability for the individual to “talk” on different levels is also important when interaction with nontechnical personnel is required.

IW: To what degree do a candidate’s professional certifications factor into your decision?

KB: Actually, for me personally, experience and word-of-mouth recommendation outweigh paper qualifications. Qualifications and a lot of initials after someone’s name only prove to me that the person can follow textbooks and the preset curriculum of the governing body. Individuals that do not possess real-world practical application and hands-on experience are missing the vast majority of the ingredients to be effective in the field.

IW: How important is the reputation of the consultant firm?

KB: Reputation is critical, as it tends to define the perception of the entire firm, not just the individuals. However, reputations can be very subjective, and discovering the true value of a firm can be a quest. I often seek the opinions of my colleagues in the industry when making selections as well as independent research. Let’s face facts: every firm and individual has made mistakes. I am not easily swayed by references that indicate that their experience with the firm or individual was without trials and tribulations. I want to hear the dirt and sort it out for myself.

IW: What key questions are you likely to ask a candidate in an interview?

KB: I don’t need an education from a candidate about the IT industry. My goal is to seek answers about the person’s integrity and drive, such as: Why IT? Why security? Why consulting? Name two things that you wish were different about yourself. … Security consultants can be dangerous; you really need to know who you are dealing with. I am very skeptical and interview very few people.

IW: Would you be more or less likely to hire a consultant for security functions than for other IT issues?

KB: Security consultants have an advantage over general IT staff members. They can see a picture of the environment from the outside and have the unique perspective to find vulnerabilities that are not obvious to the IT staff.